The Health Insurance Portability · The Health Insurance Portability & Accountability Act...

The Health Insurance Portability & Accountability Act (HIPAA)

Passed by Congress in 1996• Portability – Transfer of Health Insurance

Coverage• Accountability – Prevent Healthcare Fraud and

Abuse • Administrative Simplification – Decrease Costs

and Administrative Burdens

Administrative Simplification

• Transaction and Code Sets – Mandates Standard Electronic Transaction Formats and Code Sets

• Security – Final Rule Pending• Privacy Rule – Main Focus of Training

HIPAA Privacy Rule

• Increased Risks for Invasion of Privacy• Public and Congressional Concern about Healthcare Privacy• Support for Provider-Patient Relationship• National Standards to Protect Protected Health Information (PHI)• National Boundaries on Use and Release of Health Records• Appropriate Safeguards for Protection of PHI• Disclosure for Public Health Purpose• Civil and Criminal Penalties

Overview

Individuals Have the Rights to:• An Accounting of Disclosures• Release of Minimum Necessary• A Copy of Health Record• Request Corrections• Control Some Uses and Disclosures of PHI• File Complaints with Indian Health Service (IHS) and Office for

Civil Rights• Submit Written Requests for Notice of Information• Have Reasonable Requests for Confidential Communication of

PHI Accommodated

OverviewHIPAA Privacy Rule

Who and What is Covered

• Healthcare Providers • Government and Private Health Plans • Healthcare Clearinghouses • Business Associates

Recent Misuses of Patient Health Information

• Banker Collects On Cancer Patients’ Mortgages• Hospital Employee Sells Country Singer’s Medical Records for

$2610• Psychological Records of 62 Children Accidentally Posted on

Web Site• NC Physician’s Laptop with Patient Medical Histories Stolen• health.org Exposes Customer Names, Addresses, Phone

Numbers, and Email Addresses on Web• Washington DC Hospital Fined $25,000• Sick Employee Fired by Self-Insured Employer

Video – See Transcript in Notes Below

Health Information and PHIHealth Information is Oral or Recorded Information

that:• Is Created/Received by a Healthcare Provider, Health

Plan, Public Health Authority, Employer, Life Insurer, School or University or Healthcare Clearinghouse

• Relates to the Past, Present and/or Future Physical or Mental Health or Other Health Condition

• Concerns the Provision of Healthcare• Relates to Past, Present or Future Payment PHI is Defined as Health Information that is:• Individually identifiable • Transmitted or Maintained in any Form or Medium

The Importance of PHI Security

• Required by Law

• Earns Patient Trust

• Privacy and Security of Information

• Sets Federal Minimum Standards and Safeguards to Protect PHI

• Preempts Weaker State Laws

• Does Not Supercede Federal Laws or Privacy Act

Trust Impacts Quality of Care

• Detection and Treatment of All Conditions • Accurate and Complete Health Records • Highest Quality Healthcare• Reduces Healthcare Cost• Patients Do Not Move from One Facility/Provider to Another

If Patients Do Not Trust Us They• Do Not Seek Treatment• Give Incomplete or Inaccurate Information• Move from One Provider to Another• Ask the Provider Not to Record Their Actual Condition

Earn Patient’s Trust

• Know IHS Forms P&P

• Respect Patient’s Right to Privacy

• Treat All Records as if They Are Your Own

• Be Sensitive to Privacy in All Situations

Training Requirements

• IHS Must Provide HIPAA Training to All Employees, Volunteers, and Contractors

• New Employees Must Receive Training No Later Than 30 Days After Beginning Duty

• Department-Specific Training• Revised Training When Policies are Revised• Training Must Be Documented and

Maintained for Six Years

Learn Train & Protect

Train-the-trainer Kit Includes:• Interactive CD • Quick Reference Cards • Forms, Policies, Procedures• Web Support

Training Provided to• Area HIPAA Coordinators • Privacy Act Liaison (PAL)• Individual Providers• HIPAA Service Unit (SU) Coordinators• IHS Consultants & Volunteers• All Employees

Noncompliance? Not An Option!

Enforcement and Penalties For Noncompliance

Civil Monetary Penalties:• $100 Per Violation • Capped at $25,000 Per Calendar Year Per

Violation• Enforced by Office for Civil Rights

Overview

Penalties for Noncompliance

• Civil Service Employees May Face Discipline Up to and Including Termination

• Commissioned Corps Officers May Face Discipline Up to and Including Recommendation for Termination of Commission

• All Employees May Be Held Individually Accountable

Penalties for Noncompliance• Up to $50,000 Fine and 1 Year Imprisonment for

Knowingly Obtaining or Disclosing Individually Identifiable Health Information

• Up to $100,000 and 5 Years Imprisonment if Done Under False Pretenses

• Up to $250,000 and 10 Years Imprisonment if Done With Intent to Sell, Transfer, or Use for Commercial Advantage, Personal Gain or Malicious Harm

• Enforced by U.S. Department of Justice (DoJ)

Notice of Privacy Practices

• How to Review the Notice with Patients• How to Respond to Their Questions• What to Do in Emergency Situations• What to Do When Patient Won’t Sign

Notice of Privacy Practices

Reviewing with Patients

Explain That Health Records Are Used to• Plan for Care and Treatment • Communicate Among Healthcare Professions• Check Results and Improve Care • Verify Services Billed• Educate Healthcare Professionals • Improve Health of All People• Support Medical Research• Conduct Facility Planning and Marketing• Maintain Legal Healthcare Records

Explain That Patient Must Understand His/Her Own Health Record in Order to:

• Ensure Accuracy • Understand Why Others May Review His/Her PHI• Make Informed Decisions Regarding Disclosures

Explain Patient’s Right to: • Receive and Inspect Health Records• Request Restrictions• Request Corrections and/or Amendments • Request Confidential Communications• Receive a List of Certain Disclosures• Revoke Written Authorization to Disclose or Use

Health Information• Receive a Paper Copy of the IHS Notice of Privacy

Practices

Explain to Patient IHS’s Responsibilities to • Maintain Privacy of Information• Inform Individuals about Privacy Practices• Notify Patients if Requests for Restriction are

Denied• Accommodate Reasonable Requests for

Alternative Communications• Honor All Terms of Notice of Privacy

Practices

Notice of Privacy Procedures

Beginning April 14, 2003:• Review Notice with Patient• Answer Patient Questions• Refer Unanswered Questions to SU Privacy Act

Liaison (PAL)/SU HIPAA Coordinator• Do Not Agree to Anything Verbally• Obtain Patient Signature on Acknowledgement• Place in Patient Health Record

After April 14, 2003:• Check Record for Existing Acknowledgement• If Acknowledgement Is in Record, No Action Is

Required• If Acknowledgement Is Not in Record, Follow

Procedure for Reviewing and Obtaining Signed Acknowledgment

If Patient Refuses to Sign • Note on Acknowledgement That Patient Received Notice

and Reason for Not Signing• Sign and Note Date• Do Not Agree to Anything Verbally• Place Acknowledgement in Patient Record

Notice of Privacy Procedures Q&A

Video - See Transcript in Notes Below

If Emergency or Incapacitation

• Note Situation on Acknowledgment Form, Sign, Date, and Place in Record

• Provide Form to Patient as Soon as They Are Capable of Signing

• Do Not Agree to Anything Verbally

Notice Must be Posted• In a Public Place • Inside or Outside Facility• On Web site

• Understanding Form 810• Helping Patient Fill Out Form 810• Authorization for Use or Disclosure of Health

Information• Disclosure of Minors’ PHI• Verification of Identity Prior to Disclosure

Form IHS-810 Authorization for Use or Disclosure

Disclosures

Form IHS-810

• Provide Yellow Copy of the Signed IHS-810 to the Patient

• Original Form 810 Is Processed by Health Records Staff

• Original Form 810 Is Filed into Patient’s Health Record

• Account for the Disclosure on IHS Form 505 or Electronically (Release of Information [ROI] Software)

• Same Procedure Applies to Valid Written Requests• Expires One Year from Date of Patient Signature

Unless Otherwise Specified by Patient

Written Requests

Written Requests Must Contain: • Requestor’s Name and Address• Date of Request• Date of Birth• Description of Requested Information• Original SignatureIf Correct, Fulfill Request

Form 810 or Written Request

When a Request for Disclosure Is Incomplete • Contact Requestor for Additional Information

Prior to Disclosure• Document Request Clarification with Date

and Initials on Original Authorization Form or Written Request

Written Request Denied

Procedure for Denying Written Request• Notify Patient of Denial of Request• Explain Why Denied• List Specific Information Needed• Inform Patient That They May Use Form 810• A Patient May Obtain the Form by

– Visiting or Calling the Nearest IHS Facility– Visiting the Forms Web Site http://forms.psc.gov

Verification of Identity: In Person

• Responsible IHS Staff Knows Patient Personally• If Not Known Personally, Require One Piece of

Tangible Identification– Driver’s License– Military Identification (ID) Card– Tribal Registration Card– Employment ID Card/Badge– Passport– Alien Registration Card

• Patient Requesting Own PHI Must Have Matching ID

• ID With Name Change Requires Supporting Evidence

• Additional Verification (i.e. Last Visit Made, Parents’ Names, or Place of Birth)

Verification of Identity: Third Party

Law Enforcement Official Must Show• Official Identification• Law Enforcement Request or Court Order

Requesting the Release of PHI

Attorney, Attorney’s Assistant or Insurance Company Representative Must:

• Show Valid Photo ID and Authority (i.e. Business Card)

• Show Proof of Authority to Act

Other Individuals Must Present• Photo ID Matching Individual Named in

Patient Authorization

PHI to Parent, Guardian or Personal Representative:

• Verify Identity of Requestor • Verify Relationship

– Copy of a Birth Certificate– Court Order – Previously Provided Evidence in Medical

Record – Other Evidence of Relationship

Document Verification of Identity on Form 810 • Note Type of ID Presented/Used• Note Documentation of Authority• Initial and Date

Verification of Identity: Request By Mail

Mail to Another Individual:• Request Must Be on Form 810 or Approvable

Written Request• Verify that Name, Address, Particulars, and

Signature on Request Match Those in Patient File• Note or File Request in Medical Record • Note that PHI Was Released in Medical Record• Release PHI to Name and Address of Individual

Listed Only

Verification of Identity: Request by Mail

Request From Other Than Patient:• Requestor Must Show Valid ID and

Documentation of Authority• Staff Will Note on Form 810 or Valid Written

Request the ID and Authority Used • Initial and Date

Verification of Identity: Request by Mail

Variations or Missing Information in Written Requests:

• Contact Requestor • Obtain Explanation and Compliant

Documentation• Note on Form 810 or Valid Written Request

the Explanation, ID and Authority Used • Initial and Date

Verification of Identity: Healthcare Provider

When Receiving Request for PHI in Emergency• Obtain Requesting Provider’s Name, Facility Name,

Location, and Telephone Number• Verify Requestor Identity by Telephoning the Number

Provided• Document Call and Identity of Individual Who Received

the Call • Document the Information Being Sought or Requested• Document the Reason for the Request• Provide Minimum Necessary PHI • Provide Additional Information Requested as in Non-

Emergency

Verification of Identity: Subpoena/Court Order

When Receiving Request for PHI via Court Order, Refer to Area Office Health Records Consultant or Regional Attorney

Required Stamp or Label: All PHI Disclosures

"This information has been disclosed to you from records whose confidentiality is protected by federal law. Federal regulations (45 CFR Part 2) prohibit you from making any further disclosure of it without the specific written consent of the person to whom it pertains, or as otherwise permitted by such regulations. A general authorization for the release of medical or other information is NOT sufficient for this purpose.”

Required Stamp or Label: Alcohol/Substance Abuse Disclosures

“This information has been disclosed to you from records protected by federal confidentiality regulations (42 CFR Part 2). The federal regulations prohibit you from making any further disclosure of it without the specific written consent of the person to whom it pertains, or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.”

Psychotherapy Notes

Notes Recorded by a Mental Health Professional that • Document or Provide Analysis of Conversation in

Private, Group, Joint, or Family Counseling Session• Are Maintained Separate From the Medical Record • Owned by the Mental Health Professional Who

Recorded Them

Psychotherapy Notes

Psychotherapy Notes Do Not Include:• Medication Prescription and Monitoring• Counseling Session Start and Stop Times• Modalities and Frequencies of Treatment Furnished• Results of Clinical Tests• Summary of

–Diagnosis–Functional Status–Treatment Plans–Symptoms–Prognosis–Progress to Date

P&P for Psychotherapy Notes: Disclosure to Patient or Other

• Form 810 Must Be Dated and Signed by Either: – The Patient– Legal Guardian if Patient is Minor or

Incompetent– Patient’s Personal Representative

• Psychotherapy Notes Must Be Checked on Form 810

• Authorization Does Not Apply to Other Disclosures

P&P for Psychotherapy Notes: No Authorization Required

• Use by the Originator of the Notes for Treatment

• Use or Disclosure for Supervised Mental Health Training Programs

• Use or Disclosure by IHS in Legal Action or Proceedings Initiated by the Individual

P&P for Psychotherapy Notes: No Authorization Required (Cont’d)

• Use or Disclosure That Is Required by Law• Authorized Disclosure to a Health Oversight Authority

With Respect to the Oversight of the Originator of the Psychotherapy Notes and Used to Report a Serious and Imminent Threat to the Health and Safety of the Patient or a Third Party

• Disclosure Required by the Secretary of the Department of Health and Human Services (HHS) to Investigate IHS Facility Compliance With HIPAA

• Certain Disclosures about Deceased Patients to Coroners or Medical Examiners

Policy for Disclosure of Minors’ PHI

Procedure Is Governed by: • HIPAA Laws• Applicable State Laws

Policy For Disclosure of Minors’ PHI

P&P for PHI of Minors: Request by Minor

Minor Shall: • Designate a Review Representative • Have Direct Access to PHI if Responsible

Department Official (RDO) Determines There Will Be No Adverse Effect

• Provide Identification as Described in Individuals’ Rights to Access, Inspect and Obtain Copy of PHI

P&P for PHI of Minors: Parents, Guardian, or in Loco Parentis

• Requests Must Comply with Verification of Identify P&P

• Parent or Guardian Shall Designate Health Professional to Whom Records Will Be Sent

• Designated Health Professional Makes Judgment As to Whether Invasion of Privacy Is an Issue

• Reasonable Efforts Will Be Made to Inform the Minor

P&P for PHI of Minors: Request by Parents, Guardian, or in Loco

Parentis• Where Law Prohibits, IHS Shall Not Disclose

the Minor’s PHI to the Parent, Guardian or in Loco Parentis

• Where State Law Permits, IHS May Disclose the Minor’s PHI to the Parent, Guardian or in Loco Parentis Unless:– Parental Rights Have Been Terminated– Disclosure Might Endanger Minor– Disclosure is Not In Best Interest of Minor

P&P for PHI of Minors: Request by Parents, Guardian, or in Loco

Parentis• Where State Law Permits, IHS May Disclose the

Minor’s PHI to the Parent or Guardian Unless (cont.)– Minor Has Consented to Service Where Parental Consent is

Not Required Under State Law– Minor Has Requested Parent/Guardian Not Be Treated as

Personal Representative – Parent/Guardian Agrees to Agreement of Confidentiality

between IHS and Minor• The Health Information Management Director or

Designee Shall Determine Whether or Not to Release a Minor’s PHI to the Minor’s Parent or Guardian

P&P for PHI of Minors: Request Requirements

Acceptable Request Submissions:• Form IHS-810• Written Letter From the Parent/Legal

Representative• A Valid Authorization for Disclosure of PHI

From Another Entity

P&P for PHI of Minors: Request Requirements

All Requests Must Have:• Original Signature of the Parent or Legal

Representative• Date of Signature• Description of Information Requested

P&P for PHI of Minors: Other

• Subpoena/Court Order: Contact Area Health Record Consultant for Guidance Before Release

• Law Enforcement: Process Pursuant to Requirements of Law Enforcement Exception

• Law Firms and Insurance Companies: Original Signed Authorization by the Individual, Parent, or Guardian Must Accompany Request

• Medical Examiners: Access to Relevant Information Granted for Performance of Duties As Required by Law

P&P for PHI of Minors

• Prohibition-Redisclosure Statement “This information is intended only for the use of the person or office to which it is addressed, and contains privileged or confidential information protected by law. Unauthorized redisclosure, distribution, or copying of this communication is strictly prohibited from disclosing this health information to any other party unless required by law.”

• File Original Authorization or Written Request in Patient’s Health Record

• Document Information Released in the Disclosure Accounting Record IHS-505

P&P for PHI of Minors: Alcohol/Drug Abuse

Release of PHI to Minor:• Where Law Does Not Require Parental or

Guardian Consent, Access May Be Given Only by the Minor Patient

• Where Law Requires Parental or Guardian Consent, Authorization Must Be Obtained from both Minor and Parent or Guardian

P&P for PHI of Minors: Alcohol/Drug Abuse

• Minor’s Application for Treatment May Be Communicated to the Parent, Guardian, or Other Authorized Person: – With Minor’s Written Consent for Disclosure – If Minor Lacks Capacity to Make a Rational Choice

Regarding Consent– As Allowed or Prohibited by State Law– With Unique Federal Court Order– After Consultation with IHS Regional Attorney

• Minor’s Application for Treatment May Not Be Disclosed to Law Enforcement

P&P for PHI of Minors: Unemancipated Minors

Determination of Whether or Not an Individual Is an Emancipated or Unemancipated Minor Is Determined in the State in Which the IHS Facility Is Located

P&P for Minimum Necessary

• Limit the Use and Disclosure of PHI to the Minimum Necessary Except to – The Patient Requesting Own PHI– Pursuant to a Valid Authorization

• CEO or Service Unit HIPAA Coordinator Identifies Level of Access for Staff

IHS Determines What Is Minimum Necessary, but May Rely on the Judgment of Public Official

• Another Healthcare Provider, Health Plan, or Healthcare Clearinghouse

• Professional Who Is Employee or Contractor of IHS

• Researcher with Appropriate Documentation From Institutional Reply Board (IRB)

• When Requesting PHI From Others, IHS Must Limit Request to That Which Is Necessary to Accomplish Purpose

• Entire Medical Record Shall Only Be Disclosed Upon Justified Request

• Service Unit Director (SUD)/CEO-Designated Person Shall Monitor Compliance with the “Minimum Necessary” Requirement

Does Not Apply to Requests/Disclosures:• By Healthcare Providers for Treatment

Purposes• With Valid Patient Authorization • If Required by Statutes and Regulations• If Required for Compliance with Standard

HIPAA Transactions• To Secretary of HHS, or as Required by

P&P for Disaster Relief

IHS May Use or Disclose PHI During Disaster and/or Disaster Relief Situations to:

• Government Agencies Engaged in Disaster Relief Activities

• Private Disaster Relief or Disaster Assistance Agencies

• If Patient is Present:– Provide Opportunity for Patient to Object or

Obtain Patient Agreement – Complete Verification of Identity Prior to

Disclosing PHI – Document Verification in Health Record

• If Patient is Not Present or is Incapacitated: – Use Professional Judgment– Disclose Only Relevant PHI– Complete Verification of Identity Prior to

Disclosing PHI – Document Verification in Health Record

P&P for Correction/Amendment

• Understanding Form IHS-917• Helping Patient Fill Out Form IHS-917 • Execution of Approvals• Execution of Denials• Appeals and Complaints

• Patient Must Complete Form IHS-917• All Requests Must Be Made in Writing• SUD/CEO Will Date Stamp the Form• Patient Receives Copy of Date Stamped

Form within 10 Business Days• If Decision Can Be Made Within 10

Business Days, Patient Will Be Notified at the Same Time He/She Receives Copy of Form 917

• If Patient Requests Changes to PHI Created by Another Agency, IHS Will Forward Request to That Agency

• Patient Will Be Notified of Approval or Denial Within 60 Days After Receipt of Request

• IHS May Extend Time Period for 30 Days As Allowed by Law

• If IHS Extends Time Period, Patient Will Be Notified of Reasons and Date Request Will Be Acted Upon

• Only One 30-Day Extension Is Allowed• File Form at Site of Contested Entry in the Health

Record and Maintain for Life of Health Record

Execute Approved Corrections As Follows:• Without Erasure or Other Obliteration• Use Single Line Through Incorrect Data • Correct the Information • Add Reason for the Correction• Include Date and Corrector’s Signature

• With Patient Approval, Submit Correction to Persons/Organizations:– That Received Information in the Past – That May Have Relied, or May Rely in the Future,

on the Information – Are Identified by the Patient As Needing the

Correction or Amendment– With Required Statement “This Is an Amendment

to the Information That Was Previously Sent on _______Date___________.”

• Document the Correction in the Accounting Disclosure Record

• Notify the Patient in Writing of Approval

Execute Denial As Follows: • SUD/CEO or Designee Documents

Denial on Form IHS-917• Send Copy to Patient Within 60

Days• File Original Form in Health Record

IHS Will Only Deny a Request for Correction or Amendment Because:

• The Health Information Is Not Part of IHS’s Designated Record Set

• IHS Did Not Create the Record• The Record Is Not Available to the Patient Under

Federal Law• The Record Is Accurate and Complete

• If IHS Did Not Create the Record at Issue and the Originator of the Health Information Is No Longer Available to Act on the Request, IHS Will Address

• Notification of Denial Must Include Notification of Right to Appeal

Appeal Rights: Non-US Citizen• Patient May Submit a Written Description of the

Disagreement• IHS May Prepare a Written Rebuttal to Patient’s

Statement • IHS Will Provide Patient a Copy of the Rebuttal • IHS Written Rebuttal Is Not Subject to

Correction or Amendment

Appeal Rights: Non-US Citizen (cont.)• IHS Must Include Patient Statement, or Accurate

Summary, with Subsequent Disclosures of PHI to Which the Disagreement Relates

• If the Patient Has Not Submitted a Written Statement of Disagreement, Patient May Request that the Request for Amendment, Denial, and/or Accurate Summary Be Included with Future PHI Disclosures that Relate to the Requested Action

Appeal Rights: US Citizens/Legal Aliens• Patient May Appeal the Refusal to Correct or

Amend the Requested Information to the Area Director

• Area Director Must Act on the Appeal Within 30 Working Days of the Patient’s Appeal

• Area Director May Extend the Period for an Additional 30 Working Days for Good Cause

• Area Director Will Inform the Patient in Writing of Any Extension of the Appeal Period and Reason(s) for the Delay

• If Area Director Denies Appeal, or Patient Elects Not to Appeal:– Area Director Will Notify Patient in Writing of the Reasons for

Denial– Area Director Will Advise Patient of His/Her Rights to Submit a

Written Statement of Disagreement and to Seek Judicial Review of Denial

– Patient May Submit a Statement of Disagreement • If the Patient Submits a Written Statement of Disagreement

– Statement and Area Director’s Reasons for Denying Appeal (If an Appeal Was Filed) Will Be Sent to Recipients of Disputed Record, Where an Accounting of the Previous DisclosureWas Made

• Patients May File Complaints About IHS P&P with– SUD– Secretary of HHS

• Patients Who Receive a Denial of His/Her Request for Correction/Amendment May Submit a Written Statement of Disagreement to the SUD/CEO or Designee Within 30 Days of Denial

P&P for Correction/Amendment (cont.)

• The SUD/CEO or Designee Must Respond to Complaint Within 30 Working Days From Receipt of Patient Request for Appeal

• Altered Model Response Letters Should Be Reviewed by Legal Counsel Prior to Use

P&P for Restrictions

• Understanding Form IHS-912-1• Helping Patient Fill Out Form IHS-912-1• Patient Rights • Approved Restrictions• Directories

P&P for Restrictions• Patients Have the Right to Request Restrictions on

the Use and Disclosure of Their PHI to – Carry Out Treatment– Payment and Healthcare Operations– Hospital Directories– Relatives and Family Members– Close Friends– Healthcare Givers – Any Other Person

• IHS Only Required to Agree to Request for Restriction from Hospital Directory

• Request Must Be in Writing• Patient Is Not Required to Provide a Reason• The SUD/CEO or Designee and Appropriate Official

Will Review the Request Prior to Patient Notification (Except for Acceptance of Requests to Omit PHI from Hospital Directories)

• IHS Is Not Required to Agree to Restriction Requests• Before Agreeing to the Restriction, Attempt to Contact

the Regional Attorney

P&P for Restrictions (cont.)

• With Approved Restriction, PHI May Be Used or Disclosed by IHS or Its Business Associate(s) If Restricted PHI is Needed by IHS or Another Healthcare Provider to Provide Emergency Treatment

• Restricted Information Disclosed to a Healthcare Provider for Emergency Treatment Requires the Following Statement:“This Is Restricted Information, Provided for the Purpose of Emergency Treatment, Which Should Not Be Further Disclosed or Used Without the Permission of the Patient to Whom the Information Pertains.”

• Approved Restrictions Do Not Prevent the Following Uses or Disclosures: – Patients Who Request Access to Own Information– Disclosures Required by the Secretary of HHS to

Investigate or Determine Compliance by IHS with the HIPAA Privacy Rule

– Uses and Disclosures of PHI for Hospital Directories Where the Patient Has Not Objected to Such Uses and Disclosures

– Uses and Disclosures Required by Law– Disclosures About Victims of Abuse, Neglect or

Domestic Violence

• Approved Restrictions Do Not Prevent the Following Uses or Disclosures (cont.): – Uses and Disclosures for Health Oversight Activities– Disclosures for Judicial and Administrative Proceedings– Disclosures for Law Enforcement Purposes– Uses and Disclosures About Decedents– Uses and Disclosures for Organ, Eye, or Tissue Donation

Purposes– Uses and Disclosures for Research Purposes– Uses and Disclosures to Avert a Serious Threat to Health or

Safety– Disclosures for Workers’ Compensation– Uses or Disclosures for Which No Authorization Is Required

• IHS May Terminate Approved Restrictions if:– The Patient Agrees to, or Requests, the

Termination in Writing– IHS Informs the Patient That It Is Terminating the

Agreement, in Which Case the Termination Will Be Effective with Respect to PHI Created or Received After IHS Has So Informed the Patient

• When IHS Informs the Patient That It Is Terminating the Agreement, Note Method of Informing, Date, and Signature of the SUD/CEO or Designee in the Record

P&P for Directory

• Present Patient with Notice of Privacy Practices and Follow P&P for Notice of Privacy Practices

• Note Restrictions in Patient’s Record • List Unrestricted Information in Directory• If Incapacitated or Emergency and Patient

Cannot Review Notice, Facility May Disclose in Accordance With Previously Stated Preferences, or in Patient’s Best Interest If Not Previously Stated

P&P for Directory

IHS May Disclose in Directory, Without Patient’s Written Authorization, the Patient’s:

• Name• Location in the Facility• General Condition Description • Religious Affiliation to Clergy

Accounting of Disclosures

• Understanding Form IHS-913• Helping Patient Fill Out Form IHS-913• P&P for Accounting of Disclosures• Disclosures That Do Not Require Accounting• Temporary Suspensions

P&P for Accounting of Disclosures

• Record Disclosures of PHI that Are Subject to an Accounting – In the Disclosure Accounting Record (IHS

Form 505) – Electronically in RPMS ROI Software

• Accountings of Oral Disclosures of PHI Should Also Include the Name, Signature, and Title of Staff Who Made the Oral Disclosure

Patient-Requested Accountings of Disclosure: • Must Be in Writing • Must Include Disclosures to and by IHS

Business Associates• Must Include for Each Disclosure:

– Date of Disclosure– Name and Address of Recipient of Disclosure– Brief Description of the PHI Disclosed– Brief Statement of the Purpose of the Disclosure

or Copy of Request for Disclosure

Disclosures That Do Not Require Accounting Include:• Disclosures to Officers and Employees of the HHS

Who Have a Need for the Information for Purposes of Treatment, Payment, or Operations

• Disclosures to the Secretary That Are Required in Order to Investigate or Determine Compliance with Privacy Requirements

• Disclosures to the Patient• Patient-Authorized Disclosures• Disclosures Required Under the Freedom of

Information Act (FOIA)

When Processing Accountings of Disclosure, IHS:• Must Act on the Request No Later Than 60 Days After

Receipt of the Request• May Extend an Additional 30 Days• Must Inform the Patient in Writing of the Reason(s) for

the Extension• Must Inform the Patient of the Date by Which the

Patient Can Expect the Accounting• Will Retain Copy of Explanation in the Health Record

P&P for Accounting of Disclosures: Temporary Suspensions

Procedure for Law Enforcement Official or Health Oversight Agency to Suspend a Patient’s Right to Receive an Accounting of Disclosures:

• Official/Agency Must Submit a Written Statement that Accounting to the Patient Would Impede the Agency or Official’s Duties

• Request Must Specify Term of Suspension • Disclosures Requiring Accounting Must Be

Documented During Suspension• Patient’s Right to Receive an Accounting Is

Reinstated at End of the Suspension

P&P for Accounting of Disclosures: Temporary Suspensions

• Oral Requests for Suspension Require Documenting the Identity of the Agency or Official Making the Request

• Oral Requests May Exclude Disclosure(s) for No Longer Than 30 Days From the Date of the Request

• If the Agency or Official Provides a Valid Written Request Within 30 Days of the Oral Request, IHS Must Temporarily Suspend the Patient’s Right to an Accounting for the Time Period Specified in the Written Request

Patient Access to Their PHI

• Understanding Patients’ Rights• Requirements for Obtaining PHI• IHS Requirements for Responding to

Requests• Procedure When Access is Granted• Procedure When Access is Not Granted

P&P for Patients’ Rights to Access, Inspect, and Obtain a Copy of

Their Protected PHI

P&P for Patients’ Rights to Access, Inspect, and Obtain a Copy of Their Protected PHI

Patient Requirements for Requesting Access:• Submit Written Request to SUD/CEO or Designee

Specifying the Records the Patient Wants to Access• Designate a Representative to Review the Record

and Inform the Patient of the Contents• Authorize Presence of Any Other Individual Present

During Any Discussion of a Record• Patient May Request Copies of Records in

Accordance with the Fee Schedule

IHS Requirements for Responding to Patient Requests for Access:• SUD/CEO Must Act on Request Within 30 Days If Maintained

or Accessible On-site • SUD/CEO Must Act on Request Within 60 Days If Not

Maintained or Accessible On-site• SUD/CEO May Have One 30-Day Extension• Must Provide Patient With Written Statement of Reason(s) for

Extension and Date on Which IHS Will Respond• All Requests Must Be Maintained in Patient’s Health Record

When Access Is Granted in Whole or in Part:• SUD/CEO Shall Inform Patient in Writing• IHS Must Produce the PHI Only Once Per

Request • Must Produce in Format Requested, if Producible,

or Legible Hard Copy• A Summary or Explanation of the PHI May Be

Provided in Lieu of the Underlying Information If Patient Agrees in Advance, but Patient Still Retains Right to See Entire PHI

P&P for Patients’ Rights to Access, Inspect, and Obtain a Copy of Their

Protected PHIWhen Access Is Granted in Whole or in Part

(cont.):• Must Be Provided at Mutually Convenient

Time and Place for Inspection or Copying• Can Be Mailed If Patient Pays Copying Fee• Note Date the Copy Is Provided in Patient

Chart• Follow P&P for Verification of ID

Protected PHIIHS May Deny Request If: • Does Not Maintain Requested PHI

– If Location is Known, Must Inform Patient and Direct Request to That Place

• Reasonable Anticipation of, or for Use In, Civil, Criminal, or Administrative Actions or Proceedings– Contact Regional Attorney’s Office and

Do Not Note in Patient Health Record

Protected PHIIf IHS Cannot Determine Whether Direct Access to the

Record Will Have Adverse Effect on Patient:• Deny Direct Access to the Patient • Forward Records to Designated Representative to

Review • Notify Patient in Writing• Provide Patient Direct Access If Designated

Representative Does Not Provide the Patient with the Record

P&P for Use and Disclosure of PHI for Research Purposes

• Understanding Use and Disclosure for Research

• IRB Approval Process • IRB Waiver Requirements• Reviews of PHI Prior to Research• Research Involving Decedents’ PHI • Creating Limited Data Sets• Deidentification and Reidentification of PHI

IHS May Use and Disclose PHI for Research When IRB Has Approved, in Whole or in Part, a Waiver of the Patient’s Authorization for Its Use and Disclosure

Review/Approval Process:• The IRB or Designee Signs Statement That

Waiver Was Reviewed and Approved Under Normal and/or Expedited Review Procedures

Documentation of IRB Approval of Waiver Must Include:• A Statement Identifying the IRB and the PHI for

Which the Use/Disclosure Has Been Determined to Be Necessary by the IRB

• Date on Which the Alteration or Waiver of Authorization Was Approved

• Justification that the Research Could Not Practically Be Conducted Without the Alteration or Waiver

• Justification that the Research Could Not Practically Be Conducted Without Access to and Use of the PHI

Statement That IRB Has Determined That Alteration or Waiver, in Whole or in Part, Satisfies the Following:

• Use or Disclosure of PHI Involves No More than Minimal Risk to the Privacy of Individuals

• An Adequate Plan to Protect the Identifiers from Improper Use/Disclosure, Including Reasonable Administrative, Technical, and Physical Safeguards Against Unauthorized Use/Disclosure

Statement That IRB Has Determined That Alteration or Waiver, in Whole or in Part, Satisfies the Following (cont.):

• An Adequate Plan to Destroy the Identifiers at the Earliest Opportunity Consistent with Conduct of the Research, Unless There Is a Health or Research Justification for Retaining the Identifiers, or Such Retention Is Otherwise Required by Law

• Adequate Written Assurances that the PHI Will Not Be Reused or Disclosed to Any Other Person or Entity, Except As Required by Law, for Authorized Oversight of the Research Study if Personal Identifiers Are Removed at the Earliest Opportunity Consistent with the Oversight Activity or for Other Research for Which the Use/Disclosure of PHI Would Be Permitted Under the HIPAA Privacy Rule, the Privacy Act, and any other Applicable Law

Reviews Prior to ResearchAn IHS Facility May Allow PHI to Be Reviewed in

Preparation for Research if the Researcher Demonstrates:

• The PHI for Which Use/Disclosure Is Sought Is Necessary for Research Purposes

• That Use/Disclosure Is Sought Solely As Necessary in Preparation for Research or to Prepare a Research Protocol

• That No PHI Will Be Removed From the Facility by the Researcher in the Course of the Review

Research Involving Decedents’ PHI IHS May Use and Disclose Decedents’ PHI if the

Researcher: • Demonstrates the Use/Disclosure Is Sought Solely

for Research• Demonstrates the PHI for Which Use/Disclosure is

Sought is Necessary for the Research Purposes• Can Provide Documentation of the Decedent’s Death

if Requested

P&P for Creating a Limited Data Set

POLICY: For Purposes of Research, Public Health, or Healthcare Operations, IHS May Disclose Information That Is Not Fully Deidentified If It Creates a Limited Data Set That Complies With the Terms of the HIPAA Regulations, 45 CFR 164.514(e), and This Policy. All Such Disclosures Must Be Made in Accordance With the P&P for Limiting the Use or Disclosure of Protected Health Information to the Minimum Necessary.

Definitions:• PHI Is Health Information that Identifies a Patient, or to

Which There Is a Reasonable Basis to Believe that the Information Can Be Used to Identify the Patient

• Limited Data Set Is PHI That Excludes Specified Identifiers Such as Name, Provider Name, Chart Number, Social Security Number, etc., but that Can Still Potentially Be Linked to a Particular Patient Because it Contains Dates (Including Birth Date, Admission Date, Discharge Date, and Date of Death) and/or Information about the Patient’s City, State or Zip Code

PROCEDURE: The Following Procedures Shall Be Used to Create a Limited Data Set, Which May Be Created Only for the Purposes of Research, Public Health, or Healthcare Operations:

• Exclude the Following Direct Identifiers of the Patient, Relatives, Employers, or other Household Members – Names– Postal Addresses – Telephone Numbers– Fax Numbers– Electronic Mail Addresses– Social Security Numbers– Medical Record Numbers– Health Plan Beneficiary Numbers– Account Numbers– Certificate/license Numbers– Vehicle Identifiers and Serial Numbers, Including License Plate Numbers– Device Identifiers and Serial Numbers– Web Universal Resource Locators (URLs)– Internet Protocol (IP) Address Numbers– Biometric Identifiers, Including Finger and Voice Prints– Full Face Photographic Images and Any Comparable Images

• A Limited Data Set May Contain– Dates of Admission and Discharge– Dates of Birth and Death– Zip Codes, City, and State Information

• IHS May Use or Disclose PHI to a Business Associate in Order to Create a Limited Data Set Whether or Not It is to Be Used by IHS

A Limited Data Set Recipient Must: • Agree in Writing to Use or Disclose the Information

Only for the Purposes or Research, Public Health, or Healthcare Operations

• Sign a Written Data-Use Agreement that Recipient Will:– Establish Permitted Uses and Disclosures of the

Information– Define Who Is Permitted to Use or Receive the Limited

Data Set– Limit Use or Further Disclose the Information Other Than

As Permitted by the Data Use Agreement or As Otherwise Required by Law

A Limited Data Set Recipient Must: • Sign a Written Data-Use Agreement that Recipient

Will (cont.)– Include Appropriate Safeguards to Prevent Use or

Disclosure of the Information Other Than As Provided for by the Data Use Agreement

– Report to the Designated IHS Person Any Improper Use or Disclosure of the Information Not Provided For by Its Data Use Agreement of Which It Becomes Aware

– Ensure That Any Agents, Including Subcontractors, to Whom It Provides the Limited Data Set Agree to the Same Restrictions and Conditions that Apply to the Limited Data Set Recipient with Respect to Such Information

– Not Identify the Information or Contact the Patients

If Data Use Agreement Is Violated, IHS Must Take Reasonable Steps to End the Violation and, if Unsuccessful, Must

• Discontinue Disclosure of PHI to the Recipient

• Report the Problem to the Secretary of DHHS

IHS & Its Employees Must Also:• Comply with the Terms of Any Limited Data

Set Agreement Under Which it Receives Information

• Address Specific Questions Regarding the Implementation of this Policy to the SUD/CEO

P&P for Deidentification and Reidentification of PHI

Deidentification Is Making PHI Individually Unidentifiable Through

• The Removal of Identifiers • Determination Based Upon Statistical and

Scientific Methods

P&P for Deidentification and Reidentification of PHI

Reidentification Is Assigning a Code or Other Means of Record Identification to Allow Deidentified PHI to Be Retrieved and Identified While Maintaining the Anonymity of the Individual

P&P for Deidentification of PHI

The Determination of Whether Health Information Is Individually Identifiable or Whether PHI May Be Deidentified Will Occur:

• When There is no "Need to Know" the Identity of the Patient

• On a Case-by-Case Basis Depending on the Nature of the Request

Removal of Identifiers, Including:• Names

• All Elements of a Street Address, City, County, Precinct, Zip Code, and Equivalent Geocodes, Except for the Initial Three Digits of Zip Code

• All Elements of Dates, Except Year, for Dates Directly Related to the Patient (Except for Age 90 or Older)

• Telephone Numbers, Fax Numbers, E-mail Addresses• Social Security Numbers, Medical Record Numbers• Health Plan Beneficiary Numbers, Account Numbers

• Certificate/License Numbers• License Plate Numbers, Vehicle Identifiers,

and Serial Numbers• Device Identifiers and Serial Numbers• URL Addresses and IP Address Numbers• Biometric Identifiers, Including Finger and

Voice Prints• Full Face Photographic Images and

Comparable Images• Any Other Unique Identifying Number

Knowledgeable Experienced Person • Applies Appropriate Methods and

Determines Risk is Very Small that the Information Could Be Used Alone, or in Combination with Other Available Information, by an Anticipated Recipient of Such Information, to Identify the Patient

• Documents the Methods and Results of the Analysis that Justify the Determination

• Deidentification Will Be Performed at the Origin of the Data, or, in the Case of the Determination Made by a Designated Person, Where Such Person Is Located, As Appropriate

• Hardcopy PHI Will Be Deidentified by Obliterating (Making Unreadable and Unrecognizable) the Individual Identifier(s)

P&P for Reidentification of PHI

IHS May Assign a Code or Other Means of Record Identification to Allow Information to Be Reidentified by IHS Provided that:

• The Code Is Not Derived From or Related To the Information About the Patient

• The Code Is Not Capable of Being Used to Identify the Patient

• IHS Does Not Use or Disclose the Code for Any Other Purpose

• IHS Does Not Disclose the Mechanism for Reidentification that Could Be Used to Link the Code with the Patient

Research

• Delegation of Authority• FAX Machine Usage • Transmittal of Confidential Communication

by Alternate Means• Instructions on Administrative Requirements

Delegation of Authority

• Not Substantially Different Than Previous Policy

• SUD/CEO May Delegate to a Medical Records/Business Office Staff or Other Management Staff Member

• Only the Person Listed in the Document Can Accept or Deny a Change to Records

• Nothing Can Be Agreed to Verbally

Delegation of Authority

FAX Machine Usage

Location:• Not in a Public Area• Use Can Be Monitored Only by the Person(s) Designated to

Conduct Monitoring• Only Authorized Staff Can Have Direct Access to FAX MachineMedical Records Fax Cover Page Must Include: • Facility's Identification• Date of Transmission• Number of Pages Being Transmitted (Including Cover Page)• To: Authorized Receiver's Name, Telephone Number, and FAX

Number• From: Sender's Name, Provider's Name (If Applicable), Sender's

Telephone Number, and FAX Number• Remarks or Special Instructions (If Appropriate)• Confidentiality Statement

Sending Information Via FAX

• Call Receiving Facility to Inform that Records Are Being Sent

• Confirm Fax Number • Confirm That Fax Machine Is in a Secure

Area or Request that Recipient Stand by Machine to Receive

• Reconfirm After Dialing that the Number Displayed on Fax Machine Is Correct Before Hitting “Send”

Sending Information Via FAX

• Confirm Receipt by Calling Recipient or Checking Transmission Report

• If Fax Is Sent to Wrong Machine, Contact Recipient and Request Fax Be Destroyed

• Place Copy of Cover Page and Confirmation of Fax Receipt in Patient’s Medical Record

Receiving Information Via Fax (cont.)

• Remove Medical Information from Machine ASAP

• Count Number of Pages• If Missing Pages, Contact Sender and Request

Retransmittal• Read Fax Cover Page and Follow Instructions• If Facility Has Activity Report Journal (ARJ),

Document Receipt of Fax• If Fax is Printed on Thermal Paper, Photocopy

and Destroy Original Thermal

Receiving Information Via Fax (cont.)

• Notify Intended Recipient that Fax Was Received• Faxed Medical Information that Is Not in a Secure

Area Must Be:– Hand Delivered or – Placed in a Sealed Envelope and Delivered ASAP

• If Fax Is Erroneously Received at Facility:– Inform Sender of Error– Destroy Fax – Note in ARJ if Applicable

P&P for the Transmittal of Confidential Communication by

Alternate Means• Individual Has the Right to Request

Transmittal of PHI by Alternate Means or to an Alternate Location

• Request Must Be Submitted in Writing, Contain the Requested Form of Alternate Means/Location, and Be Addressed to the Patient Registration Office or Other Appropriate Department

• Basis for the Request Is Not Required

P&P for the Transmittal of Confidential Communication by

Alternate Means (cont.)• CEO/SUD Will Approve or Disapprove All

Requests• Whenever Possible, Decision Will Be Given Prior

to the Patient Leaving the Facility• When Alternate Means Would Affect Third-Party

Payment, the Individual Must Specify How Payment Will Be Handled

• Requests Must Be Filed in Health Record

Instructions on Administrative Requirements

• Designate Official HIPAA Contact Person• Training:

– To All Employees, Volunteers, and Contactors– New Employees – Within 30 Days– To Designated Staff As Policies Are Revised– Shall Be Documented and Documentation

Maintained for Six Years• Safeguards:

– Enact P&P to Safeguard PHI in Compliance with Privacy Act and HIPAA Regulations for Both Paper and Electronic Records

Complaints Shall Be Addressed to SUD/CEO or Designee and Must Be Documented, Maintained, and Filed with Explanation of Resolution

IHS and Its Facilities Shall Not Invoke Sanctions Against Its Employees Under the Following Conditions:

• Whistleblower • Health Oversight or Public Health Authority Authorized

by Law to Investigate• Attorney Retained by Employee for Purpose of

Determining Legal Options • Disclosure of Employees Who Are Victims of Crime to a

Law Enforcement Official, with Limitations

• IHS Shall Take Reasonable Steps to Ensure Mitigation of a Disclosure or Violation

• IHS Shall Refrain From Intimidating Acts Against Patients and Employees for Exercising Rights Under HIPAA Privacy Rule

• IHS Shall Not Require Individuals to Waive Right to File Complaints

• IHS Shall Develop P&P for HIPAA and a Process Shall Be Established for Revisions to Reflect Future Changes

• Know IHS HIPAA Forms, P&P• Avoid Incidental Disclosures• Refer Questions or Concerns to HIPAA

Coordinator, Area Office Health Records Management, or Regional Counsel

Training Materials, Forms, Policies, Procedures, Updates, FAQs, Quick Reference Cards, and

More are Available at www.ihs.gov

Q&A Summary

The Health Insurance Portability · The Health Insurance Portability & Accountability Act...

Documents

Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA ... · Health Insurance Portability and Accountability Act ... HIPAA Security Training . ... Employees who fail to comply

Reimbursement and The Health Insurance Portability and ... · Portability and Accountability Act (HIPAA) Introduction The Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA) … · 2020-05-27 · HIPAA • The Health Insurance Portability and Accountability Act of 1996 • Federal law mandates

HIPAA Training: Health Insurance Portability and Accountability Act

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

Health Insurance Portability & Accountability Act (HIPAA) April 2005

The Health Insurance Portability and Accountability Act ... · The Health Insurance Portability and Accountability Act (HIPAA) and Strategies for Implementation in a ... Health Insurance

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OVERVIEW

Health Insurance Portability and Accountability Act of 1996 (HIPAA…ucnet.universityofcalifornia.edu/tools-and-services/... · 2018-02-22 · The Health Insurance Portability and

HILLSBOROUGH COUNTY HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA ... · 2020-05-06 · hillsborough county health insurance portability and accountability act (hipaa)

HIPAA: Privacy/Info Security...Health Insurance Portability & Accountability Act – Instruction Session I completed the instruction session on the Health Insurance Portability & Accountability

Health Insurance Portability and Accountability Act in Vermont: HIPAA

Health Insurance Portability & Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act

Health Insurance Portability and Accountability Act ... · Insurance Portability and Accountability Act (HIPAA) ... the Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA) CCAC

The Health Insurance Portability and Accountability Act

HIPAA Overview (Health Insurance Portability and Accountability Act 1996)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT 1996